Skip to content
Product · GTM audit

The analyst
who audits
your container.

44automated checks across tags, triggers, variables, Consent Mode v2, and security & governance — the same Google Tag Manager audit a senior GTM consultant runs on engagement day one. Shadow-workspace only. Never mutates your live container.

Checks
44
Watching
24/7
Cost
$0
Zero risk
Always
Sample report

Container audit.
Score 68 of 100.

Redacted from a real container. One critical security flag, five warnings, 5 passed — each with a one-click fix path. Fixes land in a sandbox copy of your container — your live tags are never touched until you publish.

Overall
68
.
of 100
Passed5
Warnings7
Critical3
Container
acme-web
GTM-WJ4KP9
v42 · Apr 19
All checksCriticalWarningsPassed
Tags
Duplicate GA4 configuration tags
CRIT
Tags
Custom HTML tags without consent guards
WARN
Tags
Orphaned tags (no trigger)
WARN
Tags
Legacy Universal Analytics tags
WARN
Tags
Inconsistent tag naming convention
OK
Triggers
Duplicate triggers
WARN
Triggers
Staging URL leakage
WARN
Triggers
No engagement triggers
OK
Variables
Severe PII parameter leakage risk
CRIT
Variables
Unused variables
WARN
Variables
Data layer variables without defaults
OK
Consent Mode v2
No consent mode configuration
OK
Consent Mode v2
Missing Consent Mode v2 parameters
OK
Security & governance
External/personal emails with publish rights
CRIT
Security & governance
Stale container version
WARN
Why containers go bad

Containers rot
silently.

Five marketers, three agencies, two years later — your container has 40 tags, 15 unused, and a custom HTML nobody remembers approving. We find what shouldn't be there.

Rogue custom HTML
Flags custom HTML tags that could exfiltrate data or inject third-party scripts.
Orphaned tags
Finds unused tags cluttering the container, slowing the site, and increasing review surface.
Consent gaps
Catches marketing pixels firing without consent — GDPR/CCPA exposure in plain sight.
Pair with GA4

The bugs that live
between them.

A GTM audit alone catches container-level bugs. Pair it with a GA4 audit and we add a 6th Integration chapter with 3 cross-checks that catch the bugs living between the two products — the ones that silently corrupt your revenue reporting. Included on every plan.

CROSS-001

Measurement ID drift.

Flags when your GTM container ships a GA4 ID that no longer matches your property.

CROSS-002

Key event coverage.

Flags events firing in GTM with no matching key event configured in GA4 — invisible to Google Ads.

CROSS-003

Duplicate tag firing.

Flags multiple tags emitting the same event — the classic cause of double-counted purchases.

Explore GA4 audit See every chore we automate Scored into a 6th Integration chapter on your GA4 report
Common questions

Frequently asked
questions.

What the GTM audit checks, what it needs access to, and how the fix workflow stays zero-risk.

What does a GTM audit check for?01.
Our Google Tag Manager audit runs 44 automated checks across 5 categories: Tags (duplicate GA4 Config, orphaned tags, custom HTML without consent guards, legacy Universal Analytics), Triggers (duplicate triggers, staging URL leakage, missing engagement triggers), Variables (PII parameter leakage, unused variables, data layer variables without defaults), Consent Mode v2 (gtag consent default, region-correct signals, Google Ads consent gating), and Security & Governance (external/personal emails with publish rights, stale container versions, XSS patterns, Magecart supply-chain risk).
Will the GTM audit modify my live container?02.
No. The audit is read-only. When you trigger an automated fix, NiceLookingData creates a temporary shadow workspace, injects the change, and opens a version for you to review. You always retain publish control — the live container is never mutated without your explicit approval.
How does the audit detect GTM Magecart and XSS risk?03.
We scan all Custom HTML tags for inline script patterns matching known Magecart skimmer signatures and XSS injection points. We also flag Custom HTML tags that fire without a Consent Mode v2 guard — a common vector for unauthorized third-party script execution after a CMP update.
Do I need GTM admin access to run the audit?04.
You need at least Read permission on the container. The audit pulls your container configuration via the Tag Manager API using your Google login. For automated fixes (shadow workspace creation), you need Edit access. We never request Publish access.
How is this different from the GTM Preview mode?05.
Preview mode shows you what fires on a single page during a debug session. Our GTM audit reads your entire container configuration and flags structural issues you cannot see from Preview alone — duplicate Config tags across triggers, orphaned tags with no triggers, external Gmail accounts with publish rights, container versions older than 90 days, and PII leakage in variable definitions.
Ready?
Run your first GTM audit.
Zero risk.
Connect GTM